{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":474162642,"defaultBranch":"main","name":"slsa-verifier","ownerLogin":"slsa-framework","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2022-03-25T21:01:47.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/80431187?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1715800629.0","currentOid":""},"activityList":{"items":[{"before":"b55bf59ce412a967accc486813f59d356336e8b8","after":"18c5f13b3ecdf5b79db7448291d3c5aa67683157","ref":"refs/heads/main","pushedAt":"2024-05-22T16:45:21.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"fix: signoff commit (#767)\n\nFollowup to https://github.com/slsa-framework/slsa-verifier/pull/760\r\n\r\nFix the .github/workflows/update-actions-dist-post-commit.yml workflow\r\nto also signoff commit\r\n\r\n# Testing\r\n\r\n- [x] Invoked this PR's branch copy of the workflow against #717, and it\r\ndid signoff the commit.\r\n-\r\nhttps://github.com/slsa-framework/slsa-verifier/pull/717/commits/9670f76ab8b64299c58096a19212b558dce94b90\r\n\r\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"fix: signoff commit (#767)"}},{"before":"138e5efdb05ad28a837629d0470304945e1e82f1","after":"3c0bb06f496c46ddb4a06eb066e4eb5049fec04a","ref":"refs/heads/ramonpetgrave64-patch-4","pushedAt":"2024-05-22T16:30:55.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"Merge branch 'main' into ramonpetgrave64-patch-4","shortMessageHtmlLink":"Merge branch 'main' into 
ramonpetgrave64-patch-4"}},{"before":"87b5bae6d4230aab069db8488e975e3e9b7c684e","after":"b55bf59ce412a967accc486813f59d356336e8b8","ref":"refs/heads/main","pushedAt":"2024-05-22T16:20:16.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"fix: use pr_number as env variable (#771)\n\nchanging the update-dist workflow to use the `pr_number` input as an env\r\nvariable to avoid [script\r\ninjection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).\r\n\r\nOur workflows are only invokable by our trusted maintainers so we should\r\nbe okay. This is just an extra hardening measure.\r\n\r\nOpen issue\r\nhttps://github.com/actions/runner/issues/1070#issuecomment-2113287699\r\n\r\n## Testing\r\n\r\nI confirmed the issue by invoking the workflow with `650 && echo SCRIPT\r\nINJECTION`, and it did also do the extra `echo` command.\r\n-\r\nhttps://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36\r\n\r\nafter invoking the workflow again with this PR's version, the problem is\r\nmitigated.\r\n-\r\nhttps://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8\r\n-\r\nhttps://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7\r\n\r\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"fix: use pr_number as env variable (#771)"}},{"before":"2bb12aa5d89c0e51592d09c662d0afd0d1a7a596","after":"dd50331515204123c85f7e0e8d98dec09650b7af","ref":"refs/heads/ramonpetgrave64-patch-5","pushedAt":"2024-05-16T18:16:12.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"ramonpetgrave64","name":"Ramon 
Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"Merge branch 'main' into ramonpetgrave64-patch-5","shortMessageHtmlLink":"Merge branch 'main' into ramonpetgrave64-patch-5"}},{"before":"138a2348fce97bae5320969ddb4d5a33a967a9aa","after":"87b5bae6d4230aab069db8488e975e3e9b7c684e","ref":"refs/heads/main","pushedAt":"2024-05-15T22:13:09.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ianlewis","name":"Ian Lewis","path":"/ianlewis","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49289?s=80&v=4"},"commit":{"message":"chore: Update Renovate config (#769)\n\n# Summary\r\n\r\nUpdates renovate config to use the\r\n[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)\r\npreset rather than the `config:base` preset since `config:base` seems to\r\nbe deprecated.\r\n\r\nAlso updates the `schedule` config to use the\r\n[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)\r\npreset.\r\n\r\nAlso adds a pre-submit to run the\r\n[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)\r\nto ensure that renovate config is valid. 
This pre-submit will need to be\r\nmade required in the repository branch protection rule for `main` in the\r\nrepository settings after this PR is merged.\r\n\r\n---------\r\n\r\nSigned-off-by: Ian Lewis \r\nSigned-off-by: Ian Lewis \r\nCo-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"chore: Update Renovate config (#769)"}},{"before":null,"after":"2bb12aa5d89c0e51592d09c662d0afd0d1a7a596","ref":"refs/heads/ramonpetgrave64-patch-5","pushedAt":"2024-05-15T19:17:09.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"use pr_number as env variable\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"use pr_number as env variable"}},{"before":"cd2f897b55cef298a4930d99ba18d625812c47d2","after":"138e5efdb05ad28a837629d0470304945e1e82f1","ref":"refs/heads/ramonpetgrave64-patch-4","pushedAt":"2024-05-15T19:07:21.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"Merge branch 'main' into ramonpetgrave64-patch-4","shortMessageHtmlLink":"Merge branch 'main' into ramonpetgrave64-patch-4"}},{"before":"e7a8f74b9ca5838dbb2042308c889db9e73886f7","after":"138a2348fce97bae5320969ddb4d5a33a967a9aa","ref":"refs/heads/main","pushedAt":"2024-05-15T16:10:15.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"chore: fix pr-title-checker (#770)\n\nUpdates `thehanimo/pr-title-checker` to v1.4.2 and fixes the 
version\r\ncomment.\r\n\r\nSigned-off-by: Ian Lewis ","shortMessageHtmlLink":"chore: fix pr-title-checker (#770)"}},{"before":"a86fd4dfa293ff5820a8b1e63fbbe3fd27ac5e6d","after":"cd2f897b55cef298a4930d99ba18d625812c47d2","ref":"refs/heads/ramonpetgrave64-patch-4","pushedAt":"2024-05-08T13:57:10.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"Merge branch 'main' into ramonpetgrave64-patch-4","shortMessageHtmlLink":"Merge branch 'main' into ramonpetgrave64-patch-4"}},{"before":"23160d82c0c0d434903e5c72a0cc51439468d1ba","after":"e7a8f74b9ca5838dbb2042308c889db9e73886f7","ref":"refs/heads/main","pushedAt":"2024-05-07T18:09:48.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"fix(deps): update dependency @actions/core to v1.10.1 (#717)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Change | Age | Adoption | Passing | Confidence |\r\n|---|---|---|---|---|---|\r\n|\r\n[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)\r\n([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))\r\n| [`1.10.0` 
->\r\n`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)\r\n|\r\n[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n
\r\nactions/toolkit (@actions/core)\r\n\r\n###\r\n[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)\r\n\r\n- Fix error message reference in oidc utils\r\n[#1511](https://togithub.com/actions/toolkit/pull/1511)\r\n\r\n
\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\n---------\r\n\r\nSigned-off-by: Mend Renovate \r\nSigned-off-by: github-actions \r\nCo-authored-by: github-actions ","shortMessageHtmlLink":"fix(deps): update dependency @actions/core to v1.10.1 (#717)"}},{"before":null,"after":"a86fd4dfa293ff5820a8b1e63fbbe3fd27ac5e6d","ref":"refs/heads/ramonpetgrave64-patch-4","pushedAt":"2024-05-07T16:29:54.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"signoff commit\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"signoff commit"}},{"before":"9c4e2196d868e09136dd59f0898b786a5faf3d95","after":"23160d82c0c0d434903e5c72a0cc51439468d1ba","ref":"refs/heads/main","pushedAt":"2024-05-06T21:56:35.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"feat: workflow to update actions dist (#760)\n\nAdd a new Post-Commit workflow, to make these 
renovate-bot updates a bit\r\neasier.\r\nPreviously, we had to clone the PR locally, run `make package`, and then\r\npush to the PR.\r\nNow we would just need to use the github UI to invoke this new workflow\r\nagainst the PR number.\r\nWe could also copy this over to the slsa-github-generator repo.\r\n\r\n> A workflow to run against renovate-bot's PRs,\r\n> such as `make package` after it updates the package.json and\r\npackage-lock.json files.\r\n> The potentially untrusted code is first run inside a low-privilege\r\nJob, and the diff is uploaded as an artifact.\r\n> Then a higher-privilege Job applies the diff and pushes the changes to\r\nthe PR.\r\n> It's important to only run this workflow against PRs from trusted\r\nsources, after also reviewing the changes!\r\n\r\n## Testing.\r\n\r\nTested in my own private fork, where when applicable, it pushed a commit\r\nof changes to `dist/` folders\r\n-\r\nhttps://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483\r\n - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits\r\n-\r\nhttps://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353\r\n - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits\r\n\r\n---------\r\n\r\nSigned-off-by: Ramon Petgrave \r\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"feat: workflow to update actions dist (#760)"}},{"before":"f787eeebf7211177c8846b6cc100e2fd630ee226","after":"9c4e2196d868e09136dd59f0898b786a5faf3d95","ref":"refs/heads/main","pushedAt":"2024-05-06T16:01:16.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 
(#763)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Type | Update | Change |\r\n|---|---|---|---|\r\n| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). 
View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate \r\nCo-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"chore(deps): update gcr.io/distroless/base:nonroot docker digest to 5…"}},{"before":"637b07fdab003d8d852a2d7196d35a558da89a93","after":"f787eeebf7211177c8846b6cc100e2fd630ee226","ref":"refs/heads/main","pushedAt":"2024-05-06T15:48:47.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"chore(deps): update golang:1.21 docker digest to d83472f (#764)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Type | Update | Change |\r\n|---|---|---|---|\r\n| golang | stage | digest | `81811f8` -> `d83472f` |\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). 
View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"chore(deps): update golang:1.21 docker digest to d83472f (#764)"}},{"before":null,"after":"069292bae120fcf4447d811a521ea3af51063ebb","ref":"refs/heads/post-commit-no-contents-write","pushedAt":"2024-05-02T16:27:32.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"temp move to another existing file in main\n\nSigned-off-by: Ramon Petgrave ","shortMessageHtmlLink":"temp move to another existing file in main"}},{"before":null,"after":"4f6d0b94a7656f04a955a96c35a8b4300c2ff495","ref":"refs/heads/ramonpetgrave64-patch-3","pushedAt":"2024-04-29T18:32:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"add MarkLodato\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"add MarkLodato"}},{"before":"637b07fdab003d8d852a2d7196d35a558da89a93","after":null,"ref":"refs/tags/2.5.1-dev.2","pushedAt":"2024-04-24T19:07:20.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"}},{"before":null,"after":"312e51b12f9a2635f18b63d01bc0721b688c03a0","ref":"refs/heads/ramonpetgrave64-patch-2","pushedAt":"2024-04-24T18:44:40.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"hello\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"hello"}},{"before":"ded6c909ff001d7373a39a4de996f7ce03bbdb40","after":"a072d5e3a611369ec42e296f072d6c64868186d4","ref":"refs/heads/laurentsimon-patch-2","pushedAt":"2024-04-24T18:37:00.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"empty\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"empty"}},{"before":null,"after":"637b07fdab003d8d852a2d7196d35a558da89a93","ref":"refs/heads/test000","pushedAt":"2024-04-24T18:36:36.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"kpk47","name":null,"path":"/kpk47","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1079282?s=80&v=4"},"commit":{"message":"chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758)\n\nhttps://github.com/slsa-framework/slsa-github-generator/issues/3576\r\n\r\nNext step in \r\n\r\nhttps://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier\r\n\r\nCreating new test data for slsa-github-generator@v2.0.0\r\n\r\n# Instructions:\r\n\r\n## diff to download-artifacts.sh\r\n\r\n```\r\ndiff --git a/download-artifacts.sh b/download-artifacts.sh\r\nold mode 100644\r\nnew mode 100755\r\nindex e5e218e8..49257ea6\r\n--- a/download-artifacts.sh\r\n+++ b/download-artifacts.sh\r\n@@ -88,6 +88,10 @@ unzip_files() {\r\n rm -rf \"${tmp_dir}\"\r\n ;;\r\n \r\n+ ./*.zip)\r\n+ unzip -o \"${zip_path}\" -d \"${output_path}\"\r\n+ ;;\r\n+\r\n *)\r\n echo \"unexpected file path: ${zip_path}\"\r\n exit 1\r\n@@ -167,7 +171,7 @@ rename_java_files \"test-java-project-\" 
Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"hello\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"hello"}},{"before":"ded6c909ff001d7373a39a4de996f7ce03bbdb40","after":"a072d5e3a611369ec42e296f072d6c64868186d4","ref":"refs/heads/laurentsimon-patch-2","pushedAt":"2024-04-24T18:37:00.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"empty\n\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"empty"}},{"before":null,"after":"637b07fdab003d8d852a2d7196d35a558da89a93","ref":"refs/heads/test000","pushedAt":"2024-04-24T18:36:36.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"kpk47","name":null,"path":"/kpk47","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1079282?s=80&v=4"},"commit":{"message":"chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758)\n\nhttps://github.com/slsa-framework/slsa-github-generator/issues/3576\r\n\r\nNext step in \r\n\r\nhttps://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier\r\n\r\nCreating new test data for slsa-github-generator@v2.0.0\r\n\r\n# Instructions:\r\n\r\n## diff to download-artifacts.sh\r\n\r\n```\r\ndiff --git a/download-artifacts.sh b/download-artifacts.sh\r\nold mode 100644\r\nnew mode 100755\r\nindex e5e218e8..49257ea6\r\n--- a/download-artifacts.sh\r\n+++ b/download-artifacts.sh\r\n@@ -88,6 +88,10 @@ unzip_files() {\r\n rm -rf \"${tmp_dir}\"\r\n ;;\r\n \r\n+ ./*.zip)\r\n+ unzip -o \"${zip_path}\" -d \"${output_path}\"\r\n+ ;;\r\n+\r\n *)\r\n echo \"unexpected file path: ${zip_path}\"\r\n exit 1\r\n@@ -167,7 +171,7 @@ rename_java_files \"test-java-project-\" 
\"maven\"\r\n rename_java_files \"workflow_dispatch-\" \"gradle\"\r\n \r\n # Files downloaded. Now copy them\r\n-repo_path=\"../..\"\r\n+repo_path=\"/path/to/slsa-verifier\"\r\n \r\n # Go builder files.\r\n copy_files \"gha_go-binary-linux-amd64-\" \"${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}\"\r\n```\r\n\r\n## download the artifacts\r\n\r\n```\r\n../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0\r\n../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0\r\n../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0\r\n../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0\r\n```\r\n\r\n## docker github auth\r\n\r\n```\r\ngh auth login --scopes=read:packages\r\necho `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin\r\ncosign save \\\r\n --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \\\r\n ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d\r\n```\r\n\r\n---------\r\n\r\nSigned-off-by: Ramon Petgrave ","shortMessageHtmlLink":"chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758)"}},{"before":"637b07fdab003d8d852a2d7196d35a558da89a93","after":null,"ref":"refs/tags/2.5.1-dev.1","pushedAt":"2024-04-24T18:23:41.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"}},{"before":"ee32cbff7ea7513e12b7e0ee46d26789e1671034","after":"637b07fdab003d8d852a2d7196d35a558da89a93","ref":"refs/heads/main","pushedAt":"2024-04-23T16:26:13.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"chore: slsa-framework/slsa-github-generator@v2.0.0: 
add testdata (#758)\n\nhttps://github.com/slsa-framework/slsa-github-generator/issues/3576\r\n\r\nNext step in \r\n\r\nhttps://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier\r\n\r\nCreating new test data for slsa-github-generator@v2.0.0\r\n\r\n# Instructions:\r\n\r\n## diff to download-artifacts.sh\r\n\r\n```\r\ndiff --git a/download-artifacts.sh b/download-artifacts.sh\r\nold mode 100644\r\nnew mode 100755\r\nindex e5e218e8..49257ea6\r\n--- a/download-artifacts.sh\r\n+++ b/download-artifacts.sh\r\n@@ -88,6 +88,10 @@ unzip_files() {\r\n rm -rf \"${tmp_dir}\"\r\n ;;\r\n \r\n+ ./*.zip)\r\n+ unzip -o \"${zip_path}\" -d \"${output_path}\"\r\n+ ;;\r\n+\r\n *)\r\n echo \"unexpected file path: ${zip_path}\"\r\n exit 1\r\n@@ -167,7 +171,7 @@ rename_java_files \"test-java-project-\" \"maven\"\r\n rename_java_files \"workflow_dispatch-\" \"gradle\"\r\n \r\n # Files downloaded. Now copy them\r\n-repo_path=\"../..\"\r\n+repo_path=\"/path/to/slsa-verifier\"\r\n \r\n # Go builder files.\r\n copy_files \"gha_go-binary-linux-amd64-\" \"${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}\"\r\n```\r\n\r\n## download the artifacts\r\n\r\n```\r\n../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0\r\n../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0\r\n../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0\r\n../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0\r\n```\r\n\r\n## docker github auth\r\n\r\n```\r\ngh auth login --scopes=read:packages\r\necho `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin\r\ncosign save \\\r\n --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \\\r\n ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d\r\n```\r\n\r\n---------\r\n\r\nSigned-off-by: Ramon Petgrave ","shortMessageHtmlLink":"chore: 
slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758)"}},{"before":"41733f74c025cc6d156547121989dd50fbc92364","after":null,"ref":"refs/tags/v2.0.0-rc.0","pushedAt":"2024-04-18T20:21:25.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"}},{"before":"79d225bb44af886799ee76761eac7f28fe610707","after":"ee32cbff7ea7513e12b7e0ee46d26789e1671034","ref":"refs/heads/main","pushedAt":"2024-04-18T16:46:15.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"chore(deps): update golang:1.21 docker digest to 81811f8 (#693)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Type | Update | Change |\r\n|---|---|---|---|\r\n| golang | stage | digest | `ec457a2` -> `81811f8` |\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). 
View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate \r\nCo-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"chore(deps): update golang:1.21 docker digest to 81811f8 (#693)"}},{"before":"8c9ed07f8fd108ae6a7a268e5514c9a0caebb6d5","after":"79d225bb44af886799ee76761eac7f28fe610707","ref":"refs/heads/main","pushedAt":"2024-04-18T16:33:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] (#723)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Change | Age | Adoption | Passing | Confidence |\r\n|---|---|---|---|---|---|\r\n| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)\r\n| `v2.2.0` -> `v2.2.4` |\r\n[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. 
Check the Dependency\r\nDashboard for more information.\r\n\r\n### GitHub Vulnerability Alerts\r\n\r\n####\r\n[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9)\r\n\r\n### Summary\r\nCosign is susceptible to a denial of service by an attacker-controlled\r\nregistry. An attacker who controls a remote registry can return a high\r\nnumber of attestations and/or signatures to Cosign and cause Cosign to\r\nenter a long loop resulting in an endless data attack. The root cause is\r\nthat Cosign loops through all attestations fetched from the remote\r\nregistry in `pkg/cosign.FetchAttestations`.\r\n\r\nThe attacker needs to compromise the registry or make a request to a\r\nregistry they control. When doing so, the attacker must return a high\r\nnumber of attestations in the response to Cosign. The result will be\r\nthat the attacker can cause Cosign to go into a long or infinite loop\r\nthat will prevent other users from verifying their data. In Kyverno's\r\ncase, an attacker whose privileges are limited to making requests to the\r\ncluster can make a request with an image reference to their own\r\nregistry, trigger the infinite loop and deny other users from completing\r\ntheir admission requests. Alternatively, the attacker can obtain control\r\nof the registry used by an organization and return a high number of\r\nattestations instead of the expected number of attestations.\r\n\r\nThe vulnerable loop in Cosign starts on line 154 below:\r\n\r\nhttps://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196\r\n\r\nThe `l` slice is controllable by an attacker who controls the remote\r\nregistry.\r\n\r\nMany cloud-native projects consider the remote registry to be untrusted,\r\nincluding Crossplane, Notary and Kyverno. 
We consider the same to be the\r\ncase for Cosign, since users are not in control of whether the registry\r\nreturns the expected data.\r\n\r\nTUF's security model labels this type of vulnerability an [\"Endless data\r\nattack\"](https://theupdateframework.io/security/), but an attacker could\r\nuse this as a type of rollback attack, in case the user attempts to\r\ndeploy a patched version of a vulnerable image; the attacker could\r\nprevent this upgrade by causing Cosign to get stuck in an infinite loop\r\nand never complete.\r\n\r\n### Mitigation\r\nThe issue can be mitigated rather simply by setting a limit on the number\r\nof attestations that Cosign will loop through. The limit does not need\r\nto be high to be within the vast majority of use cases and still prevent\r\nthe endless data attack.\r\n\r\n####\r\n[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc)\r\n\r\n### Summary\r\nA remote image with a malicious attachment can cause denial of service\r\nof the host machine running Cosign. This can impact other services on\r\nthe machine that rely on having memory available such as a Redis\r\ndatabase which can result in data loss. It can also impact the\r\navailability of other services on the machine that will not be available\r\nfor the duration of the machine denial.\r\n\r\n### Details\r\nThe root cause of this issue is that Cosign reads the attachment from a\r\nremote image entirely into memory without checking the size of the\r\nattachment first. As such, a large attachment can make Cosign read a\r\nlarge attachment into memory; if the attachment's size is larger than the\r\nmachine has memory available, the machine will be denied service. 
The\r\nGo runtime will make a `SIGKILL` after a few seconds of system-wide\r\ndenial.\r\n\r\nThe root cause is that Cosign reads the contents of the attachments\r\nentirely into memory on line 238 below:\r\n\r\n\r\nhttps://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239\r\n\r\n...and prior to that, neither Cosign nor go-containerregistry checks the\r\nsize of the attachment and enforces a max cap. In the case of a remote\r\nlayer of `f *attached`, go-containerregistry will invoke this API:\r\n\r\n\r\nhttps://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40\r\n```golang\r\nfunc (rl *remoteLayer) Compressed() (io.ReadCloser, error) {\r\n\t// We don't want to log binary layers -- this can break terminals.\r\n\tctx := redact.NewContext(rl.ctx, \"omitting binary blobs from logs\")\r\n\treturn rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)\r\n}\r\n```\r\n\r\nNotice that the second argument to `rl.fetcher.fetchBlob` is\r\n`verify.SizeUnknown` which results in not using the `io.LimitReader` in\r\n`verify.ReadCloser`:\r\n\r\nhttps://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100\r\n```golang\r\nfunc ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {\r\n\tw, err := v1.Hasher(h.Algorithm)\r\n\tif err != nil {\r\n\t\treturn nil, err\r\n\t}\r\n\tr2 := io.TeeReader(r, w) // pass all writes to the hasher.\r\n\tif size != SizeUnknown {\r\n\t\tr2 = io.LimitReader(r2, size) // if we know the size, limit to that size.\r\n\t}\r\n\treturn &and.ReadCloser{\r\n\t\tReader: &verifyReader{\r\n\t\t\tinner: r2,\r\n\t\t\thasher: w,\r\n\t\t\texpected: h,\r\n\t\t\twantSize: size,\r\n\t\t},\r\n\t\tCloseFunc: r.Close,\r\n\t}, nil\r\n}\r\n```\r\n\r\n### Impact\r\nThis issue can allow a supply-chain escalation from a compromised\r\nregistry to the Cosign user: If an 
attacker has compromised a registry\r\nor the account of an image vendor, they can include a malicious\r\nattachment and hurt the image consumer.\r\n\r\n### Remediation\r\nUpdate to the latest version of Cosign, which limits the number of\r\nattachments. An environment variable can override this value.\r\n\r\n####\r\n[CVE-2024-29903](https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv)\r\n\r\nMaliciously-crafted software artifacts can cause denial of service of\r\nthe machine running Cosign, thereby impacting all services on the\r\nmachine. The root cause is that Cosign creates slices based on the\r\nnumber of signatures, manifests or attestations in untrusted artifacts.\r\nAs such, the untrusted artifact can control the amount of memory that\r\nCosign allocates.\r\n\r\nAs an example, these lines demonstrate the problem:\r\n\r\n\r\nhttps://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70\r\n\r\nThis `Get()` method gets the manifest of the image, allocates a slice\r\nequal to the length of the layers in the manifest, loops through the\r\nlayers and adds a new signature to the slice.\r\n\r\nThe exact issue is Cosign allocates excessive memory on the lines that\r\ncreate a slice of the same length as the manifests.\r\n\r\n## Remediation\r\n\r\nUpdate to the latest version of Cosign, where the number of\r\nattestations, signatures and manifests has been limited to a reasonable\r\nvalue.\r\n\r\n## Cosign PoC\r\n\r\nIn the case of this API (also referenced above):\r\n\r\n\r\nhttps://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70\r\n\r\n… The first line can contain a length that is safe for the system and\r\nwill not throw a runtime panic or be blocked by other safety mechanisms.\r\nFor the sake of argument, let’s say that the length of `m, err :=\r\ns.Manifest()` is the max allowed (by the machine without throwing 
OOM\r\npanics) manifests minus 1. When Cosign then allocates a new slice on\r\nthis line: `signatures := make([]oci.Signature, 0, len(m.Layers))`,\r\nCosign will allocate more memory than is available and the machine will\r\nbe denied of service, causing Cosign and all other services on the\r\nmachine to be unavailable.\r\n\r\nTo illustrate the issue here, we run a modified version of\r\n`TestSignedImageIndex()` in `pkg/oci/remote`:\r\n\r\n\r\nhttps://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57\r\n\r\nHere, `wantLayers` is the number of manifests from these lines:\r\n\r\n\r\nhttps://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60\r\n\r\nTo test this, we want to make `wantLayers` high enough to not cause a\r\nmemory on its own but still trigger the machine-wide OOM when a slice\r\ngets created with the same length. On my local machine, it would take\r\nhours to create a slice of layers that fulfils that criteria, so instead\r\nI modify the Cosign production code to reflect a long list of manifests:\r\n\r\n```golang\r\n// Get implements oci.Signatures\r\nfunc (s *sigs) Get() ([]oci.Signature, error) {\r\n m, err := s.Manifest()\r\n if err != nil {\r\n return nil, err\r\n }\r\n // Here we imitate a long list of manifests\r\n ms := make([]byte, 2600000000) // imitate a long list of manifests\r\n signatures := make([]oci.Signature, 0, len(ms))\r\n panic(\"Done\")\r\n //signatures := make([]oci.Signature, 0, len(m.Layers))\r\n for _, desc := range m.Layers {\r\n```\r\n\r\nWith this modified code, if we can cause an OOM without triggering the\r\n`panic(\"Done\")`, we have succeeded.\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n
\r\nsigstore/cosign (github.com/sigstore/cosign/v2)\r\n\r\n###\r\n[`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224)\r\n\r\n[Compare\r\nSource](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4)\r\n\r\n#### Bug Fixes\r\n\r\n- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv\r\n([#​3661](https://togithub.com/sigstore/cosign/issues/3661))\r\n- ErrNoSignaturesFound should be used when there is no signature\r\nattached to an image.\r\n([#​3526](https://togithub.com/sigstore/cosign/issues/3526))\r\n- fix semgrep issues for dgryski.semgrep-go ruleset\r\n([#​3541](https://togithub.com/sigstore/cosign/issues/3541))\r\n- Honor creation timestamp for signatures again\r\n([#​3549](https://togithub.com/sigstore/cosign/issues/3549))\r\n\r\n#### Features\r\n\r\n- Adds Support for Fulcio Client Credentials Flow, and Argument to Set\r\nFlow Explicitly\r\n([#​3578](https://togithub.com/sigstore/cosign/issues/3578))\r\n\r\n#### Documentation\r\n\r\n- add oci bundle spec\r\n([#​3622](https://togithub.com/sigstore/cosign/issues/3622))\r\n- Correct help text of triangulate cmd\r\n([#​3551](https://togithub.com/sigstore/cosign/issues/3551))\r\n- Correct help text of verify-attestation policy argument\r\n([#​3527](https://togithub.com/sigstore/cosign/issues/3527))\r\n- feat: add OVHcloud MPR registry tested with cosign\r\n([#​3639](https://togithub.com/sigstore/cosign/issues/3639))\r\n\r\n#### Testing\r\n\r\n- Refactor e2e-tests.yml workflow\r\n([#​3627](https://togithub.com/sigstore/cosign/issues/3627))\r\n- Clean up and clarify e2e scripts\r\n([#​3628](https://togithub.com/sigstore/cosign/issues/3628))\r\n- Don't ignore transparency log in tests if possible\r\n([#​3528](https://togithub.com/sigstore/cosign/issues/3528))\r\n- Make E2E tests hermetic\r\n([#​3499](https://togithub.com/sigstore/cosign/issues/3499))\r\n- add e2e test for pkcs11 token 
signing\r\n([#​3495](https://togithub.com/sigstore/cosign/issues/3495))\r\n\r\n###\r\n[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223)\r\n\r\n[Compare\r\nSource](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3)\r\n\r\n#### Bug Fixes\r\n\r\n- Fix race condition on verification with multiple signatures attached\r\nto image\r\n([#​3486](https://togithub.com/sigstore/cosign/issues/3486))\r\n- fix(clean): Fix clean cmd for private registries\r\n([#​3446](https://togithub.com/sigstore/cosign/issues/3446))\r\n- Fixed BYO PKI verification\r\n([#​3427](https://togithub.com/sigstore/cosign/issues/3427))\r\n\r\n#### Features\r\n\r\n- Allow for option in cosign attest and attest-blob to upload\r\nattestation as supported in Rekor\r\n([#​3466](https://togithub.com/sigstore/cosign/issues/3466))\r\n- Add support for OpenVEX predicate type\r\n([#​3405](https://togithub.com/sigstore/cosign/issues/3405))\r\n\r\n#### Documentation\r\n\r\n- Resolves\r\n[#​3088](https://togithub.com/sigstore/cosign/issues/3088):\r\n`version` sub-command expected behaviour documentation and testing\r\n([#​3447](https://togithub.com/sigstore/cosign/issues/3447))\r\n- add examples for cosign attach signature cmd\r\n([#​3468](https://togithub.com/sigstore/cosign/issues/3468))\r\n\r\n#### Misc\r\n\r\n- Remove CertSubject function\r\n([#​3467](https://togithub.com/sigstore/cosign/issues/3467))\r\n- Use local rekor and fulcio instances in e2e tests\r\n([#​3478](https://togithub.com/sigstore/cosign/issues/3478))\r\n\r\n#### Contributors\r\n\r\n- aalsabag\r\n- Bob Callaway\r\n- Carlos Tadeu Panato Junior\r\n- Colleen Murphy\r\n- Hayden B\r\n- Mukuls77\r\n- Omri Bornstein\r\n- Puerco\r\n- vivek kumar sahu\r\n\r\n###\r\n[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222)\r\n\r\n[Compare\r\nSource](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2)\r\n\r\nv2.2.2 adds a new container with a 
shell,\r\n`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing\r\ncontainer `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.\r\n\r\nFor private deployments, we have also added an alias for\r\n`--insecure-skip-log`, `--private-infrastructure`.\r\n\r\n#### Bug Fixes\r\n\r\n- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6\r\n([#​3411](https://togithub.com/sigstore/cosign/issues/3411)) which\r\nfixes a bug with using Azure KMS\r\n- Don't require CT log keys if using a key/sk\r\n([#​3415](https://togithub.com/sigstore/cosign/issues/3415))\r\n- Fix copy without any flag set\r\n([#​3409](https://togithub.com/sigstore/cosign/issues/3409))\r\n- Update cosign generate cmd to not include newline\r\n([#​3393](https://togithub.com/sigstore/cosign/issues/3393))\r\n- Fix idempotency error with signing\r\n([#​3371](https://togithub.com/sigstore/cosign/issues/3371))\r\n\r\n#### Features\r\n\r\n- Add `--yes` flag `cosign import-key-pair` to skip the overwrite\r\nconfirmation.\r\n([#​3383](https://togithub.com/sigstore/cosign/issues/3383))\r\n- Use the timeout flag value in verify\\* commands.\r\n([#​3391](https://togithub.com/sigstore/cosign/issues/3391))\r\n- add --private-infrastructure flag\r\n([#​3369](https://togithub.com/sigstore/cosign/issues/3369))\r\n\r\n#### Container Updates\r\n\r\n- Bump builder image to use go1.21.4 and add new cosign image tags with\r\nshell ([#​3373](https://togithub.com/sigstore/cosign/issues/3373))\r\n\r\n#### Documentation\r\n\r\n- Update SBOM_SPEC.md\r\n([#​3358](https://togithub.com/sigstore/cosign/issues/3358))\r\n\r\n#### Contributors\r\n\r\n- Carlos Tadeu Panato Junior\r\n- Dylan Richardson\r\n- Hayden B\r\n- Lily Sturmann\r\n- Nikos Fotiou\r\n- Yonghe Zhao\r\n\r\n###\r\n[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221)\r\n\r\n[Compare\r\nSource](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1)\r\n\r\n**Note: This release comes with a fix for CVE-2023-46737 
described in\r\nthis [Github Security\r\nAdvisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).\r\nPlease upgrade to this release ASAP**\r\n\r\n#### Enhancements\r\n\r\n- feat: Support basic auth and bearer auth login to registry\r\n([#​3310](https://togithub.com/sigstore/cosign/issues/3310))\r\n- add support for ignoring certificates with pkcs11\r\n([#​3334](https://togithub.com/sigstore/cosign/issues/3334))\r\n- Support ReplaceOp in Signatures\r\n([#​3315](https://togithub.com/sigstore/cosign/issues/3315))\r\n- feat: added ability to get image digest back via triangulate\r\n([#​3255](https://togithub.com/sigstore/cosign/issues/3255))\r\n- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom\r\n([#​3247](https://togithub.com/sigstore/cosign/issues/3247))\r\n- feat: add support attaching a Rekor bundle to a container\r\n([#​3246](https://togithub.com/sigstore/cosign/issues/3246))\r\n- feat: add support outputting rekor response on signing\r\n([#​3248](https://togithub.com/sigstore/cosign/issues/3248))\r\n- feat: improve dockerfile verify subcommand\r\n([#​3264](https://togithub.com/sigstore/cosign/issues/3264))\r\n- Add guard flag for experimental OCI 1.1 verify.\r\n([#​3272](https://togithub.com/sigstore/cosign/issues/3272))\r\n- Deprecate SBOM attachments\r\n([#​3256](https://togithub.com/sigstore/cosign/issues/3256))\r\n- feat: dedent line in cosign copy doc\r\n([#​3244](https://togithub.com/sigstore/cosign/issues/3244))\r\n- feat: add platform flag to cosign copy command\r\n([#​3234](https://togithub.com/sigstore/cosign/issues/3234))\r\n- Add SLSA 1.0 attestation support to cosign. 
Closes\r\n[#​2860](https://togithub.com/sigstore/cosign/issues/2860)\r\n([#​3219](https://togithub.com/sigstore/cosign/issues/3219))\r\n- attest: pass OCI remote opts to att resolver.\r\n([#​3225](https://togithub.com/sigstore/cosign/issues/3225))\r\n\r\n#### Bug Fixes\r\n\r\n- Merge pull request from GHSA-vfp6-jrw2-99g9\r\n- fix: allow cosign download sbom when image is absent\r\n([#​3245](https://togithub.com/sigstore/cosign/issues/3245))\r\n- ci: add a OCI registry test for referrers support\r\n([#​3253](https://togithub.com/sigstore/cosign/issues/3253))\r\n- Fix ReplaceSignatures\r\n([#​3292](https://togithub.com/sigstore/cosign/issues/3292))\r\n- Stop using deprecated in_toto.ProvenanceStatement\r\n([#​3243](https://togithub.com/sigstore/cosign/issues/3243))\r\n- Fixes\r\n[#​3236](https://togithub.com/sigstore/cosign/issues/3236),\r\ndisable SCT checking for a cosign verification when usin…\r\n([#​3237](https://togithub.com/sigstore/cosign/issues/3237))\r\n- fix: update error in `SignedEntity` to be more descriptive\r\n([#​3233](https://togithub.com/sigstore/cosign/issues/3233))\r\n- Fail timestamp verification if no root is provided\r\n([#​3224](https://togithub.com/sigstore/cosign/issues/3224))\r\n\r\n#### Documentation\r\n\r\n- Add some docs about verifying in an air-gapped environment\r\n([#​3321](https://togithub.com/sigstore/cosign/issues/3321))\r\n- Update CONTRIBUTING.md\r\n([#​3268](https://togithub.com/sigstore/cosign/issues/3268))\r\n- docs: improves the Contribution guidelines\r\n([#​3257](https://togithub.com/sigstore/cosign/issues/3257))\r\n- Remove security policy\r\n([#​3230](https://togithub.com/sigstore/cosign/issues/3230))\r\n\r\n#### Others\r\n\r\n- Set go to min 1.21 and update dependencies\r\n([#​3327](https://togithub.com/sigstore/cosign/issues/3327))\r\n- Update contact for code of conduct\r\n([#​3266](https://togithub.com/sigstore/cosign/issues/3266))\r\n- Update 
.ko.yaml\r\n([#​3240](https://togithub.com/sigstore/cosign/issues/3240))\r\n\r\n#### Contributors\r\n\r\n- AdamKorcz\r\n- Andres Galante\r\n- Appu\r\n- Billy Lynch\r\n- Bob Callaway\r\n- Caleb Woodbine\r\n- Carlos Tadeu Panato Junior\r\n- Dylan Richardson\r\n- Gareth Healy\r\n- Hayden B\r\n- John Kjell\r\n- Jon Johnson\r\n- jonvnadelberg\r\n- Luiz Carvalho\r\n- Priya Wadhwa\r\n- Ramkumar Chinchani\r\n- Tosone\r\n- Ville Aikas\r\n- Vishal Choudhary\r\n- ziel\r\n\r\n
\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am\" (UTC), Automerge - At any\r\ntime (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [x] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [sec…"}},{"before":"2a07cd6e3a18cc33ea92b65c88d1aed6d37bda14","after":"8c9ed07f8fd108ae6a7a268e5514c9a0caebb6d5","ref":"refs/heads/main","pushedAt":"2024-04-16T17:21:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"feat: fixes #547: add npm sigstore-tuf suport (#731)\n\nAddresses: https://github.com/slsa-framework/slsa-verifier/issues/547\r\n - [x] Pending: https://github.com/sigstore/sigstore-go/pull/41\r\nUses the new\r\n[sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0)\r\n\r\nCurrently slsa-verifier has npmjs' attestation key hardcoded. 
But\r\nsigstore now stores the same key within their own TUF root.\r\n\r\nThis PR \r\n- dynamically use the keyid specified in the sigstore bundle, rather\r\nthan the hardcoded keyid.\r\n- uses an updated ([pending](\r\nhttps://github.com/sigstore/sigstore-go/pull/41)) sigstore-go library\r\nthat allows us to fetch a signed and verified copy of the same key.\r\n\r\n---------\r\n\r\nSigned-off-by: Ramon Petgrave ","shortMessageHtmlLink":"feat: fixes #547: add npm sigstore-tuf suport (#731)"}},{"before":"bcc39bf21a0dc379ccb7a1b7bb42e3054983b178","after":"2a07cd6e3a18cc33ea92b65c88d1aed6d37bda14","ref":"refs/heads/main","pushedAt":"2024-04-03T00:55:07.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 (#752)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Change | Age | Adoption | Passing | Confidence |\r\n|---|---|---|---|---|---|\r\n|\r\n[org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools)\r\n| `3.9.0` -> `3.11.0` 
|\r\n[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). 
View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate \r\nCo-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>","shortMessageHtmlLink":"fix(deps): update dependency org.apache.maven.plugin-tools:maven-plug…"}},{"before":"0547bc3002e7017a4b25409ce0e24ec5873653e1","after":"bcc39bf21a0dc379ccb7a1b7bb42e3054983b178","ref":"refs/heads/main","pushedAt":"2024-04-03T00:44:08.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"laurentsimon","name":null,"path":"/laurentsimon","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/64505099?s=80&v=4"},"commit":{"message":"chore(deps): update npm dev (major) (#753)\n\nRedo of https://github.com/slsa-framework/slsa-verifier/pull/654\r\n\r\n- Fix dev-dependencies related to es-lint that the renovate-bot couldn't\r\nauto-fix\r\n\r\n- a few commas automatically added by the new linter\r\n\r\n- use node20 for tests to avoid compatibility warnings\r\n\r\n```\r\nnpm WARN EBADENGINE Unsupported engine {\r\nnpm WARN EBADENGINE package: '@typescript-eslint/parser@7.5.0',\r\nnpm WARN EBADENGINE required: { node: '^18.18.0 || >=20.0.0' },\r\nnpm WARN EBADENGINE current: { node: 'v16.20.2', npm: '8.19.4' }\r\nnpm WARN EBADENGINE }\r\n```\r\n\r\n---------\r\n\r\nSigned-off-by: Mend Renovate \r\nSigned-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>\r\nCo-authored-by: Mend Renovate ","shortMessageHtmlLink":"chore(deps): update npm dev (major) (#753)"}},{"before":"a8e21d5a83f23dcd08eca759e6b40f2150624b21","after":"0547bc3002e7017a4b25409ce0e24ec5873653e1","ref":"refs/heads/main","pushedAt":"2024-04-02T18:46:09.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ramonpetgrave64","name":"Ramon Petgrave","path":"/ramonpetgrave64","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32398091?s=80&v=4"},"commit":{"message":"fix(deps): update dependency 
org.apache.maven:maven-plugin-api to v3.9.6 (#751)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Change | Age | Adoption | Passing | Confidence |\r\n|---|---|---|---|---|---|\r\n| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) |\r\n`3.9.5` -> `3.9.6` |\r\n[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). 
View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.…"}},{"before":"363e8da4fa3397244f5b5d822ae69885571356c8","after":"a8e21d5a83f23dcd08eca759e6b40f2150624b21","ref":"refs/heads/main","pushedAt":"2024-04-01T15:26:46.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"laurentsimon","name":null,"path":"/laurentsimon","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/64505099?s=80&v=4"},"commit":{"message":"chore(deps): update github-actions (major) (#719)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Type | Update | Change |\r\n|---|---|---|---|\r\n| [actions/checkout](https://togithub.com/actions/checkout) | action |\r\nmajor | `v3.6.0` -> `v4.1.1` |\r\n|\r\n[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)\r\n| action | major | `v3.1.5` -> `v4.2.5` |\r\n|\r\n[actions/download-artifact](https://togithub.com/actions/download-artifact)\r\n| action | major | `v3.0.2` -> `v4.1.4` |\r\n| [actions/setup-node](https://togithub.com/actions/setup-node) | action\r\n| major | `v3` -> `v4` |\r\n| [actions/setup-node](https://togithub.com/actions/setup-node) | action\r\n| major | `v3.8.2` -> `v4.0.2` |\r\n|\r\n[actions/upload-artifact](https://togithub.com/actions/upload-artifact)\r\n| action | major | `v3.1.3` -> `v4.3.1` |\r\n| [github/codeql-action](https://togithub.com/github/codeql-action) |\r\naction | major | `v2.24.8` -> `v3.24.9` |\r\n|\r\n[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action)\r\n| action | major | `v3` -> `v4` |\r\n\r\n---\r\n\r\n> [!WARNING]\r\n> Some dependencies could not be looked up. 
Check the Dependency\r\nDashboard for more information.\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n
\r\nactions/checkout (actions/checkout)\r\n\r\n###\r\n[`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1)\r\n\r\n##### What's Changed\r\n\r\n- Update CODEOWNERS to Launch team by\r\n[@​joshmgross](https://togithub.com/joshmgross) in\r\n[https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510)\r\n- Correct link to GitHub Docs by\r\n[@​peterbe](https://togithub.com/peterbe) in\r\n[https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511)\r\n- Link to release page from what's new section by\r\n[@​cory-miller](https://togithub.com/cory-miller) in\r\n[https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514)\r\n\r\n##### New Contributors\r\n\r\n- [@​joshmgross](https://togithub.com/joshmgross) made their first\r\ncontribution in\r\n[https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510)\r\n- [@​peterbe](https://togithub.com/peterbe) made their first\r\ncontribution in\r\n[https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/checkout/compare/v4.1.0...v4.1.1\r\n\r\n###\r\n[`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0)\r\n\r\n- [Add support for partial checkout\r\nfilters](https://togithub.com/actions/checkout/pull/1396)\r\n\r\n###\r\n[`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0)\r\n\r\n- [Support fetching without the --progress\r\noption](https://togithub.com/actions/checkout/pull/1067)\r\n- [Update to node20](https://togithub.com/actions/checkout/pull/1436)\r\n\r\n
\r\n\r\n
\r\nactions/dependency-review-action\r\n(actions/dependency-review-action)\r\n\r\n###\r\n[`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5):\r\n4.2.5\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5)\r\n\r\n#### What's Changed\r\n\r\n- Fixed a bug where some configuration options in external files were\r\nnot being properly picked up --\r\n[https://github.com/actions/dependency-review-action/pull/722](https://togithub.com/actions/dependency-review-action/pull/722)\r\n- Bump eslint from 8.56.0 to 8.57.0\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5\r\n\r\n###\r\n[`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4)\r\n\r\n#### What's Changed\r\n\r\nFixed a bug in the output of OpenSSF cards for GitHub Actions.\r\n\r\n#### New Contributors\r\n\r\n- [@​sporkmonger](https://togithub.com/sporkmonger) made their\r\nfirst contribution in\r\n[https://github.com/actions/dependency-review-action/pull/721](https://togithub.com/actions/dependency-review-action/pull/721)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4\r\n\r\n###\r\n[`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3):\r\n4.2.3\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3)\r\n\r\n#### What's Changed\r\n\r\n- Set comment as output by [@​jsoref](https://togithub.com/jsoref)\r\nin\r\n[https://github.com/actions/dependency-review-action/pull/698](https://togithub.com/actions/dependency-review-action/pull/698)\r\n- Add support for calculating OpenSSF Scorecards by\r\n[@​jhutchings1](https://togithub.com/jhutchings1) 
in\r\n[https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709)\r\n- Add outputs for the changes data by\r\n[@​laughedelic](https://togithub.com/laughedelic) in\r\n[https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707)\r\n\r\n#### New Contributors\r\n\r\n- [@​jhutchings1](https://togithub.com/jhutchings1) made their\r\nfirst contribution in\r\n[https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709)\r\n- [@​laughedelic](https://togithub.com/laughedelic) made their\r\nfirst contribution in\r\n[https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3\r\n\r\n###\r\n[`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3):\r\n4.1.3\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3)\r\n\r\nFixes a bug in 4.1.2 that would introduce comments in every pull\r\nrequest, regardless of the user's configuration (see\r\n[https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)).\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3\r\n\r\n###\r\n[`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2):\r\n4.1.2\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2)\r\n\r\n#### What's Changed\r\n\r\n- Expose dependency comment content by\r\n[@​jsoref](https://togithub.com/jsoref) 
in\r\n[https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2\r\n\r\n###\r\n[`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1):\r\n4.1.1\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1)\r\n\r\n#### What's Changed\r\n\r\n- Bump `undici` to fix\r\n[GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g)\r\n- Bump [@​types/node](https://togithub.com/types/node) from\r\n20.11.17 to 20.11.19 by\r\n[@​dependabot](https://togithub.com/dependabot) in\r\n[https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1\r\n\r\n###\r\n[`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0):\r\n4.1.0\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0)\r\n\r\n#### What's Changed\r\n\r\n- Add `warn-only` by [@​tgrall](https://togithub.com/tgrall) in\r\n[https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432)\r\n\r\nAdded a new configuration option (`warn-only`, boolean) that makes the\r\naction always succeed while still displaying found vulnerabilities in\r\nthe log.\r\n\r\n- Create stale.yaml by\r\n[@​jonjanego](https://togithub.com/jonjanego) in\r\n[https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671)\r\n- Use manual codeql config by\r\n[@​juxtin](https://togithub.com/juxtin) 
in\r\n[https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678)\r\n- Multiple dependency updates (see the changelog below for more\r\ninformation)\r\n\r\n#### New Contributors\r\n\r\n- [@​jonjanego](https://togithub.com/jonjanego) made their first\r\ncontribution in\r\n[https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671)\r\n- [@​tgrall](https://togithub.com/tgrall) made their first\r\ncontribution in\r\n[https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v4...v4.1.0\r\n\r\n###\r\n[`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0)\r\n\r\n- Update action to Node 20 by\r\n[@​takost](https://togithub.com/takost) in\r\n[https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639)\r\n- Dependabot updates, see the full changelog for more details.\r\n\r\n#### New Contributors\r\n\r\n- [@​takost](https://togithub.com/takost) made their first\r\ncontribution in\r\n[https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0\r\n\r\n
\r\n\r\n
\r\nactions/download-artifact (actions/download-artifact)\r\n\r\n###\r\n[`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4)\r\n\r\n##### What's Changed\r\n\r\n- Update\r\n[@​actions/artifact](https://togithub.com/actions/artifact) by\r\n[@​bethanyj28](https://togithub.com/bethanyj28) in\r\n[https://github.com/actions/download-artifact/pull/307](https://togithub.com/actions/download-artifact/pull/307)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/download-artifact/compare/v4...v4.1.4\r\n\r\n###\r\n[`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3)\r\n\r\n##### What's Changed\r\n\r\n- Update release-new-action-version.yml by\r\n[@​konradpabjan](https://togithub.com/konradpabjan) in\r\n[https://github.com/actions/download-artifact/pull/292](https://togithub.com/actions/download-artifact/pull/292)\r\n- Update toolkit dependency with updated unzip logic by\r\n[@​bethanyj28](https://togithub.com/bethanyj28) in\r\n[https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)\r\n- Update\r\n[@​actions/artifact](https://togithub.com/actions/artifact) by\r\n[@​bethanyj28](https://togithub.com/bethanyj28) in\r\n[https://github.com/actions/download-artifact/pull/303](https://togithub.com/actions/download-artifact/pull/303)\r\n\r\n##### New Contributors\r\n\r\n- [@​bethanyj28](https://togithub.com/bethanyj28) made their first\r\ncontribution in\r\n[https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)\r\n\r\n**Full 
Changelog**:\r\nhttps://github.com/actions/download-artifact/compare/v4...v4.1.3\r\n\r\n###\r\n[`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2)\r\n\r\n- Bump\r\n[@​actions/artifacts](https://togithub.com/actions/artifacts) to\r\nlatest version to include [updated GHES host\r\ncheck](https://togithub.com/actions/toolkit/pull/1648)\r\n\r\n###\r\n[`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1)\r\n\r\n- Fix transient request timeouts\r\n[https://github.com/actions/download-artifact/issues/249](https://togithub.com/actions/download-artifact/issues/249)\r\n- Bump `@actions/artifacts` to latest version\r\n\r\n###\r\n[`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0)\r\n\r\n#### What's Changed\r\n\r\n- Some cleanup by [@​robherley](https://togithub.com/robherley) in\r\n[https://github.com/actions/download-artifact/pull/247](https://togithub.com/actions/download-artifact/pull/247)\r\n- Fix default for run-id by [@​stchr](https://togithub.com/stchr)\r\nin\r\n[https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252)\r\n- Support pattern matching to filter artifacts & merge to same directory\r\nby [@​robherley](https://togithub.com/robherley) in\r\n[https://github.com/actions/download-artifact/pull/259](https://togithub.com/actions/download-artifact/pull/259)\r\n\r\n#### New Contributors\r\n\r\n- [@​stchr](https://togithub.com/stchr) made their first\r\ncontribution in\r\n[https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252)\r\n\r\n**Full 
Changelog**:\r\nhttps://github.com/actions/download-artifact/compare/v4...v4.1.0\r\n\r\n###\r\n[`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0)\r\n\r\n#### What's Changed\r\n\r\nThe release of upload-artifact@v4 and download-artifact@v4 are major\r\nchanges to the backend architecture of Artifacts. They have numerous\r\nperformance and behavioral improvements.\r\n\r\nℹ️ However, this is a major update that includes breaking changes.\r\nArtifacts created with versions v3 and below are not compatible with the\r\nv4 actions. Uploads and downloads *must* use the same major actions\r\nversions. There are also key differences from previous versions that may\r\nrequire updates to your workflows.\r\n\r\nFor more information, please see:\r\n\r\n1. The\r\n[changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/)\r\npost.\r\n2. The\r\n[README](https://togithub.com/actions/download-artifact/blob/main/README.md).\r\n3. The [migration\r\ndocumentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md).\r\n4. As well as the underlying npm package,\r\n[@​actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact)\r\ndocumentation.\r\n\r\n#### New Contributors\r\n\r\n- [@​bflad](https://togithub.com/bflad) made their first\r\ncontribution in\r\n[https://github.com/actions/download-artifact/pull/194](https://togithub.com/actions/download-artifact/pull/194)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/download-artifact/compare/v3...v4.0.0\r\n\r\n
\r\n\r\n
\r\nactions/setup-node (actions/setup-node)\r\n\r\n### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/setup-node/compare/v3...v4)\r\n\r\n
\r\n\r\n
\r\nactions/upload-artifact (actions/upload-artifact)\r\n\r\n###\r\n[`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1)\r\n\r\n- Bump\r\n[@​actions/artifacts](https://togithub.com/actions/artifacts) to\r\nlatest version to include [updated GHES host\r\ncheck](https://togithub.com/actions/toolkit/pull/1648)\r\n\r\n###\r\n[`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0)\r\n\r\n##### What's Changed\r\n\r\n- Reorganize upload code in prep for merge logic & add more tests by\r\n[@​robherley](https://togithub.com/robherley) in\r\n[https://github.com/actions/upload-artifact/pull/504](https://togithub.com/actions/upload-artifact/pull/504)\r\n- Add sub-action to merge artifacts by\r\n[@​robherley](https://togithub.com/robherley) in\r\n[https://github.com/actions/upload-artifact/pull/505](https://togithub.com/actions/upload-artifact/pull/505)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/upload-artifact/compare/v4...v4.3.0\r\n\r\n###\r\n[`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0)\r\n\r\n##### What's Changed\r\n\r\n- Ability to overwrite an Artifact by\r\n[@​robherley](https://togithub.com/robherley) in\r\n[https://github.com/actions/upload-artifact/pull/501](https://togithub.com/actions/upload-artifact/pull/501)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/upload-artifact/compare/v4...v4.2.0\r\n\r\n###\r\n[`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0)\r\n\r\n#### What's Changed\r\n\r\n- Add migrations docs by\r\n[@​robherley](https://togithub.com/robherley) 
in\r\n[https://github.com/actions/upload-artifact/pull/482](https://togithub.com/actions/upload-artifact/pull/482)\r\n- Update README.md by\r\n[@​samuelwine](https://togithub.com/samuelwine) in\r\n[https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492)\r\n- Support artifact-url output by\r\n[@​konradpabjan](https://togithub.com/konradpabjan) in\r\n[https://github.com/actions/upload-artifact/pull/496](https://togithub.com/actions/upload-artifact/pull/496)\r\n- Update readme to reflect new 500 artifact per job limit by\r\n[@​robherley](https://togithub.com/robherley) in\r\n[https://github.com/actions/upload-artifact/pull/497](https://togithub.com/actions/upload-artifact/pull/497)\r\n\r\n#### New Contributors\r\n\r\n- [@​samuelwine](https://togithub.com/samuelwine) made their first\r\ncontribution in\r\n[https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/upload-artifact/compare/v4...v4.1.0\r\n\r\n###\r\n[`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0)\r\n\r\n#### What's Changed\r\n\r\nThe release of upload-artifact@v4 and download-artifact@v4 are major\r\nchanges to the backend architecture of Artifacts. They have numerous\r\nperformance and behavioral improvements.\r\n\r\nFor more information, see the\r\n[@​actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact)\r\ndocumentation.\r\n\r\n#### New Contributors\r\n\r\n- [@​vmjoseph](https://togithub.com/vmjoseph) made their first\r\ncontribution in\r\n[https://github.com/actions/upload-artifact/pull/464](https://togithub.com/actions/upload-artifact/pull/464)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/actions/upload-artifact/compare/v3...v4.0.0\r\n\r\n
\r\n\r\n
\r\ngithub/codeql-action (github/codeql-action)\r\n\r\n###\r\n[`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9)\r\n\r\n###\r\n[`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8)\r\n\r\n###\r\n[`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7)\r\n\r\n###\r\n[`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)\r\n\r\n###\r\n[`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)\r\n\r\n###\r\n[`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)\r\n\r\n###\r\n[`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)\r\n\r\n###\r\n[`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)\r\n\r\n###\r\n[`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)\r\n\r\n###\r\n[`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)\r\n\r\n###\r\n[`v3.23.2`](https://togithub
.com/github/codeql-action/compare/v3.23.1...v3.23.2)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)\r\n\r\n###\r\n[`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1)\r\n\r\n###\r\n[`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0)\r\n\r\n###\r\n[`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)\r\n\r\n###\r\n[`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11)\r\n\r\n###\r\n[`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9)\r\n\r\n
\r\n\r\n
\r\ngolangci/golangci-lint-action\r\n(golangci/golangci-lint-action)\r\n\r\n###\r\n[`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4)\r\n\r\n[Compare\r\nSource](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4)\r\n\r\n
\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"before 4am on the first day of the\r\nmonth\" (UTC), Automerge - At any time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n👻 **Immortal**: This PR will be recreated if closed unmerged. Get\r\n[config help](https://togithub.com/renovatebot/renovate/discussions) if\r\nthat's undesired.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"chore(deps): update github-actions (major) (#719)"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEUSxY6QA","startCursor":null,"endCursor":null}},"title":"Activity · slsa-framework/slsa-verifier"}